Today, the US Department of Health & Human Services’ Office for Civil Rights (OCR) announced that Advocate Health Care Network (Illinois’ largest healthcare system) will pay a record $5.5 million settlement for violating HIPAA. The violations include failure to properly assess risks and limit access to electronic PHI (for example, an unencrypted laptop was left in an employee’s unlocked vehicle overnight); failure to have business associate agreements in place; and three data breaches that compromised the records of four million patients. With this record settlement (and other recent settlements that set previous record highs), OCR hopes to send covered entities a strong message that they must conduct comprehensive risk analyses and risk management to keep electronic PHI secure.